Enable Hyper-V via Intune with Remediation Scripts

The purpose of the blog post is to inform you how to enable Hyper-V via Intune on Windows 10 or Windows 11. Hyper-V is required for e.g. Windows Defender Credential guard, Application Guard and Application Control. You can enable Hyper-V in various ways, but I’ll explain in this blogpost the Proactive remediations Script method.

Requirements Intune:

Microsoft Intune license
Windows 10/11 Enterprise E3/E5 Or Microsoft 365 F3/E3/E5 license
Intune MDM managed device
Intune Admin or Global Admin Role
Endpoint Analytics

Requirements Device:

Hypervisor enabled in BIOS
Windows 10 Enterprise/Pro/Education min. 1709
64bit processor
4GB memory

Note. I use the PowerShell command Enable-WindowsOptionalFeature to enable Hyper-V via Intune. I’ve decided to use a PowerShell script and the built-in Proactive remediations method via Intune. If you want to enable Hyper-V via Intune but not want or able to use Remediation scripts, you can use the PowerShell method what I explain in another blog post.

You can also enable Hyper-V via the DISM Command and/or wrap the PowerShell script in a Win32 app.

My opinion is that the Apps section in Intune should only be used for installing applications and should not be misused for any other purpose.

PowerShell Scripts

PowerShell is commonly used for automating the management of systems. It will also be used to build, test, and deploy solutions, often in CI/CD environments. PowerShell is built on the .NET Common Language Runtime (CLR). All inputs and outputs are .NET objects.

More information about PowerShell can be found here

Remediation Scripts

Proactive remediations help you fix common issues before end-users notice issues. Proactive remediations are script packages that can detect and fix common issues on a user’s device. It can also be used for required configuration such. We will use proactive remediation to enable Hyper-V via Intune.

Each script package consists of a detection script, a remediation script, and metadata.

More information about Proactive remediation can be found here

How to verify Hyper-V Hardware compatibility

Almost all corporate device models support Hyper-V, especially the modern ones. If you want to be sure if your device supports Hyper-V. Start with checking the operating system and hardware requirements. After checking the requirements you have to check the compatibility. You can use the following CMD or PowerShell command: systeminfo. If all listed Hyper-V requirements have a value of Yes, your system can run the Hyper-V role. If any item returns No, check the requirements and make adjustments where possible.

More information about Hyper-V requirements and compatibility can be found here

PowerShell script to be uploaded to Intune

Enable Hyper-V with GUI Enable Hyper-V without GUI

Detection Script:

# Microsoft-Hyper-V-Hypervisor detection
$Hyper_v_Full = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor).State
$Hyper_V_GUI = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients).State

Start-Transcript "C:WindowsLogsHyper-V-Detection.log"

# Check if Hyper-V and GUI are enabled.
if($Hyper_v_Full -eq "Enabled" -and $Hyper_V_GUI -eq "Enabled")
{
    Write-host "Microsoft Hyper-V installation has been detected" 
    Exit 0
}
else
{
    Write-host "Microsoft Hyper-V installation has not been detected"
    Exit 1
}

Stop-Transcript

Remediation Script:

# Microsoft-Hyper-V-Hypervisor remediation
$Hyper_v_Full = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor).State
$Hyper_V_GUI = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients).State

Start-Transcript "C:WindowsLogsHyper-V-Remediation.log"

Try
{
#Check if Hyper-V is disabled.
    if($Hyper_v_Full -eq "Disabled") 
    { 
        Write-host "Enabling Microsoft-Hyper-V...."
        #Enable Hyper-V GUI
        Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
        if($Hyper_v_Full -eq "Enabled") 
        { 
            #Check if Hyper-V is Enabled.
            Write-host "Microsoft-Hyper-V has succesfully been installed"
        }
    }

#check if Hyper-V GUI is Enabled
    if($Hyper_V_GUI -eq "Disabled") 
    { 
        Write-host "Disabling Microsoft-Hyper-V GUI...."
        #Enabled Hyper-V GUI
        Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients -NoRestart
        #Check if Hyper-V GUI is disabled.
        if($Hyper_V_GUI -eq "Disabled")
        { 
            Write-host "Microsoft Hyper-V GUI has succesfully been installed" 
        }
    }
}
Catch
    {
        Write-host "$error"
    }

Stop-Transcript

Detection Script:

# Microsoft-Hyper-V-Hypervisor detection
$Hyper_v_Full = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor).State
$Hyper_V_GUI = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients).State

Start-Transcript "C:WindowsLogsHyper-V-Detection.log"

# Check if Hyper-V is enabled and GUI is disabled.
if($Hyper_v_Full -eq "Enabled" -and $Hyper_V_GUI -eq "Disabled")
{
  	Write-host "Microsoft Hyper-V installation has been detected and GUI is deleted succesfully"
    Exit 0
}
else
{
    Write-host "Microsoft Hyper-V installation has not been detected or Hyper-V GUI is detected"
    Exit 1
}

Stop-Transcript

Remediation Script:

# Microsoft-Hyper-V-Hypervisor remediation
$Hyper_v_Full = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor).State
$Hyper_V_GUI = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients).State

Start-Transcript "C:WindowsLogsHyper-V-Remediation.log"

Try
{
#Check if Hyper-V is disabled.
    if($Hyper_v_Full -eq "Disabled") 
    { 
        Write-host "Enabling Microsoft-Hyper-V...."
        #Enable Hyper-V GUI
        Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
        if($Hyper_v_Full -eq "Enabled") 
        { 
            #Check if Hyper-V is Enabled.
            Write-host "Microsoft-Hyper-V has succesfully been installed"
        }
    }

#check if Hyper-V GUI is Enabled
    if($Hyper_V_GUI -eq "Enabled") 
    { 
        Write-host "Disabling Microsoft-Hyper-V GUI...."
        #Disable Hyper-V GUI
        Disable-WindowsOptionalFeature -online -FeatureName Microsoft-Hyper-V-Management-Clients -NoRestart
        #Check if Hyper-V GUI is Enabled.
        if($Hyper_V_GUI -eq "Enabled") 
        { 
            Write-host "Microsoft-Hyper-V GUI has succesfully been uninstalled"
        }    
    }
}
Catch
    {
        Write-host "$error"
    }

Stop-Transcript

How to enable Hyper-V via Intune with Proactive Remediation Scripts

Open Microsoft endpoint manager
In the menu select Reports
Click on Endpoint analytics in the menu under Analytics
Click on Proactive remediations
Or use the following link Endpoint analytics – Microsoft Endpoint Manager admin center
Click on Create script package
Provide a Name script name
Set a description, so that everyone with access to the portal knows the purpose of the script
Click on Next
Upload the Detection scripts and Remediation scripts.
Configure the following PowerShell script settings

Settings	Value
Run this script using the logged on credentials	No
Enforce script signature check	No
Run script in 64 bit PowerShell Host	Yes

Click on Next and on the Scope tags section click on Next
Assign remediation script to User or Device groups
Change the schedule via the 3 bullets and Click on Edit
Click on the dropdown list and change the frequency from Daily to Hourly and click on
Check on the review + create page if below settings are configured and click on Create

Assignment	Group	Schedule
Include	All user or All devices	Hourly
Exclude	Allow Hyper-V GUI

Upload the Detection scripts and Remediation scripts for “Enable Hyper-V with GUI”
Configure the same settings as you’ve configured for “Enable Hyper-V without GUI”
The only difference here is the assignment, this should only be applied to the exclude group (e.g. Allow Hyper-V GUI) that we have configured by Enable Hyper-V without GUI.

Results Intune Portal: